<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>There are various tools like <a href="https://www.countryipblocks.net/acl.php">https://www.countryipblocks.net/acl.php</a> (and more) that will create the datasets you need to feed iptables. There are also things like <a href="https://www.apiban.org/">https://www.apiban.org/</a> that you might want to look at for proactively blocking bad actors. APIBAN is like a good old RBL you’d use to combat spam but collects data on SIP bad actors.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>K<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>FreeSWITCH-users <freeswitch-users-bounces@lists.freeswitch.org> on behalf of Lloyd Aloysius <lloyd.aloysius@gmail.com><br><b>Reply-To: </b>FreeSWITCH Users Help <freeswitch-users@lists.freeswitch.org><br><b>Date: </b>Monday, January 25, 2021 at 10:21 PM<br><b>To: </b>FreeSWITCH Users Help <freeswitch-users@lists.freeswitch.org><br><b>Subject: </b>Re: [Freeswitch-users] Scanners and botnet vulnerability<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><div><p class=MsoNormal><span style='font-family:"Verdana",sans-serif'>Ken, thank you for the information. 
Can you please let me know how to block AS numbers from IPTables?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Verdana",sans-serif'><o:p> </o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Mon, Jan 25, 2021 at 10:06 PM Ken Rice <<a href="mailto:krice@freeswitch.org">krice@freeswitch.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><p class=MsoNormal style='margin-bottom:12.0pt'>exactly those 2 lol<o:p></o:p></p><div><p class=MsoNormal>Sent from my iPhone<o:p></o:p></p></div><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-bottom:12.0pt'>On Jan 25, 2021, at 16:24, Raúl Alexis Betancor Santana <<a href="mailto:rbetancor@gmail.com" target="_blank">rbetancor@gmail.com</a>> wrote:<o:p></o:p></p></blockquote></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><o:p></o:p></p><div><p class=MsoNormal>You could tell the name, SAS in France and OVH, they are both nests of bots.<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <<a href="mailto:krice@freeswitch.org" target="_blank">krice@freeswitch.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>this is super common. this is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. we see tons of these things regularly. 
Fail2ban helps some but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.<br><br>I won't name the company, but a major European hosting company I drop their entire AS as it's not worth the hassle.<br><br>Sent from my iPhone<br><br>> On Jan 25, 2021, at 14:49, Marc Bernard <<a href="mailto:marcb@voicemeup.com" target="_blank">marcb@voicemeup.com</a>> wrote:<br>> <br>> Hello All,<br>> <br>> Is anyone else noticing that there are more and more scanners attempting<br>> brute force with no reply to auth request resulting in logging a lot of<br>> abandoned calls ?<br>> <br>> Scenario:<br>> <br>> - A scanner sends an INVITE|REGISTER with no credentials<br>> - Freeswitch responds with authentication request and a challenge is sent to<br>> logs;<br>> "<br>> 2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge<br>> (REGISTER) on sofia profile 'public' for [<a href="mailto:1730@1.2.3.4" target="_blank">1730@1.2.3.4</a>] from ip 5.6.7.8"<br>> - Scanner does not respond<br>> - After a while, Freeswitch logs the following:<br>> 2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]<br>> switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88<br>> sofia/public/<a href="mailto:1730@1.2.3.4" target="_blank">1730@1.2.3.4</a> Abandoned<br>> <br>> --<br>> <br>> In our case, we made fail2ban more sensitive to auth failures logs which<br>> does not get triggered because of the scanner not even trying to send<br>> credentials.<br>> <br>> Wouldn't it make more sense for this log to include the IP of sip client<br>> that abandoned the call (5.6.7.8) instead of only the IP of the sip profile<br>> (1.2.3.4) ?<br>> <br>> This would allow us to have Fail2ban block this scenario more aggressively.<br>> <br>> Thoughts ?<br>> <br>> <br>> <br>> <br>> _________________________________________________________________________<br>> <br>> The FreeSWITCH 
project is sponsored by SignalWire <a href="https://signalwire.com" target="_blank">https://signalwire.com</a><br>> Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.<br>> Build your next product on our scalable cloud platform.<br>> <br>> Join our online community to chat in real time <a href="https://signalwire.community" target="_blank">https://signalwire.community</a><br>> <br>> Professional FreeSWITCH Services<br>> <a href="mailto:sales@freeswitch.com" target="_blank">sales@freeswitch.com</a><br>> <a href="https://freeswitch.com" target="_blank">https://freeswitch.com</a><br>> <br>> Official FreeSWITCH Sites<br>> <a href="https://freeswitch.com/oss" target="_blank">https://freeswitch.com/oss</a><br>> <a href="https://freeswitch.org/confluence" target="_blank">https://freeswitch.org/confluence</a><br>> <a href="https://cluecon.com" target="_blank">https://cluecon.com</a><br>> <br>> FreeSWITCH-users mailing list<br>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>> <a href="https://freeswitch.com" target="_blank">https://freeswitch.com</a><o:p></o:p></p></blockquote></div></div></blockquote></div></blockquote></div></div></div></body></html>
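Added example, not part of the original thread and not FreeSWITCH code: the "Abandoned" line quoted above carries no source IP, but the earlier auth-challenge line for the same user@host does, so the two can be correlated to recover the silent scanner's address for fail2ban or an ipset. The function names, the 120-second window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,6})"
# Patterns follow the two log lines quoted in the thread.
CHALLENGE = re.compile(
    TS + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(\w+\) "
    r"on sofia profile '[^']+' for \[([^\]]+)\] from ip (\S+)")
ABANDONED = re.compile(
    TS + r" \[WARNING\] switch_core_state_machine\.c:\d+ \S+ "
    r"sofia/[^/\s]+/(\S+) Abandoned")

# Constructed sample; addresses are the thread's placeholders plus 203.0.113.7.
SAMPLE_LOG = """\
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8
2021-01-25 12:27:45.000100 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1001@1.2.3.4] from ip 203.0.113.7
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730@1.2.3.4 Abandoned
2021-01-25 12:29:00.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1731@1.2.3.4] from ip 5.6.7.8
00000000-0000-4000-8000-000000000001 2021-01-25 12:29:58.000000 [WARNING] switch_core_state_machine.c:687 00000000-0000-4000-8000-000000000001 sofia/public/1731@1.2.3.4 Abandoned
00000000-0000-4000-8000-000000000002 2021-01-25 12:45:00.000000 [WARNING] switch_core_state_machine.c:687 00000000-0000-4000-8000-000000000002 sofia/public/1001@1.2.3.4 Abandoned
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def silent_scanners(log_text, window=timedelta(seconds=120), threshold=1):
    """Map source IP -> count of calls that were challenged, then abandoned."""
    pending = {}      # user@host -> (challenge time, source IP)
    hits = Counter()
    for line in log_text.splitlines():
        m = CHALLENGE.search(line)
        if m:
            pending[m.group(2)] = (parse_ts(m.group(1)), m.group(3))
            continue
        m = ABANDONED.search(line)
        if m and m.group(2) in pending:
            seen, ip = pending.pop(m.group(2))
            # Only attribute the abandon to an IP challenged shortly before it.
            if timedelta(0) <= parse_ts(m.group(1)) - seen <= window:
                hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, count in silent_scanners(SAMPLE_LOG).items():
        print(f"{ip} abandoned {count} challenged call(s)")
```

If two sources challenge the same user@host inside the window, the abandon is attributed to the most recent one, so a higher threshold reduces the chance of banning a legitimate client.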